[ARL02-A10] News-TNK Cross Site Scripting Vulnerability

From: Ahmet Sabri ALPER (s_alperat_private)
Date: Sat Mar 16 2002 - 17:01:36 PST

Next message: Ahmet Sabri ALPER: "[ARL02-A08] BG Guestbook Cross Site Scripting Vulnerability"

Previous message: Peter Gründl: "KPMG-2002005: BitVise WinSSH Denial of Service"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

('binary' encoding is not supported, stored as-is) +/--------\-------- ALPER Research Labs ------/--------/+ +/---------\------- Security Advisory -----/---------/+ +/----------\------ ID: ARL02-A10 ----/----------/+ +/-----------\----- salperat_private ---/-----------/+ Advisory Information -------------------- Name : News-TNK Cross Site Scripting Vulnerability Software Package : News-TNK Vendor Homepage : http://www.linux-sottises.net/ Vulnerable Versions: v1.2.1 and older Platforms : Linux Vulnerability Type : Input Validation Error Vendor Contacted : 15/03/2002 Vendor Replied : 15/03/2002 Prior Problems : N/A Current Version : v1.2.2 (immune) Summary ------- News-TNK is script to submit, validate, unvalidate, comment, delete news on a website. Available in French and English at the present time. A Cross Site Scripting vulnerability exists in News-TNK. This would allow a remote attacker to send information to victims from untrusted web servers, and make it look as if the information came from the legitimate server. Details ------- The URL's and the user input seem to be filtered pretty good. But I guess that the coders have missed a point. The "WEB" input when replying or creating topics, is not filtered enough. So a Cross Site Scripting vulnerability exists in News-TNK. Example input for the "WEB" input <script>alert("ALPERz was here!")</script> After submitting this information, whenever anyone browses the page where the news message is, the malicious code will take effect. Solution -------- The vendor replied to my mail and released a new version which is immune to this vulnerability very quickly (on the same day :}) You may download the new version or use the method suggested by me, and approved by the vendor, if you have made any modifications to the news applet. Strip HTML tags, and possibly other malicious code within "news_post.php" (or "news_post3.php). I suggest the following as a workaround; At the beginning of "news_post.php" add the lines below; # Patch Start $web=strip_tags($web); # Patch End More info about the new version and patches can be found at: http://www.linux-sottises.net/software.php Credits ------- Discovered on 15, March, 2002 by Ahmet Sabri ALPER salperat_private http://www.olympos.org References ---------- Product Web Page: http://www.linux-sottises.net/

Next message: Ahmet Sabri ALPER: "[ARL02-A08] BG Guestbook Cross Site Scripting Vulnerability"
Previous message: Peter Gründl: "KPMG-2002005: BitVise WinSSH Denial of Service"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Mar 18 2002 - 17:55:16 PST